f6f7ea41035b81719add94cc16333ddfcc8b41dd1bc8ced09ffbe446e92eab34

General

Target

6ffe039fd4013c29f8a3d52b666053ae.exe
Size

3.9MB
MD5

6ffe039fd4013c29f8a3d52b666053ae
SHA1

0974d3454774a178346862e835cff8473d593185
SHA256

f6f7ea41035b81719add94cc16333ddfcc8b41dd1bc8ced09ffbe446e92eab34
SHA512

bc303a6581e82fbf86aa9ab30b64d50dd964b20900a649ba8dafc214e9fc1e3cd7d1e0a46e73604c3c888fd67fb097f5fa0b0640ca9fe94fe7ce921582109b56
SSDEEP

98304:jYvaiWUWLoX3uyFBsPB2jWghGCeoX3uyFBsP9W4T0xoX3uyFBsPB2jWghGCeoX3M:8e5LILFBsPBu8ILFBsP5TAILFBsPBu8j

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1468	6ffe039fd4013c29f8a3d52b666053ae.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	6ffe039fd4013c29f8a3d52b666053ae.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3132-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/1468-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0007000000023221-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3100	1468	WerFault.exe	17

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3132	6ffe039fd4013c29f8a3d52b666053ae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3132	6ffe039fd4013c29f8a3d52b666053ae.exe
1468	6ffe039fd4013c29f8a3d52b666053ae.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 1468	3132	6ffe039fd4013c29f8a3d52b666053ae.exe	17
PID 3132 wrote to memory of 1468	3132	6ffe039fd4013c29f8a3d52b666053ae.exe	17
PID 3132 wrote to memory of 1468	3132	6ffe039fd4013c29f8a3d52b666053ae.exe	17
PID 1468 wrote to memory of 2800	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	27
PID 1468 wrote to memory of 2800	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	27
PID 1468 wrote to memory of 2800	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	27
PID 1468 wrote to memory of 3824	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	25
PID 1468 wrote to memory of 3824	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	25
PID 1468 wrote to memory of 3824	1468	6ffe039fd4013c29f8a3d52b666053ae.exe	25
PID 3824 wrote to memory of 680	3824	cmd.exe	23
PID 3824 wrote to memory of 680	3824	cmd.exe	23
PID 3824 wrote to memory of 680	3824	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe
"C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe
  C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 616
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\xoi1t.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe" /TN 0Su7L8S745c1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1468 -ip 1468
1⤵
PID:3112

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ffe039fd4013c29f8a3d52b666053ae.exe

Filesize
25KB

MD5
81681e0fb738279c1dce7d20af9544cb

SHA1
c1123f754db5244763608f52159eadd7a607514b

SHA256
9b0e4fb43d2d836e8341b34724244ffc88aa8150b682356f39ffb0fbdc90434a

SHA512
c2fafd0ad9ccbb2cd6609e668628a6ec60c2b220c092237c0d9cfcd2efbec9a9a9a869b9ae66e13ca5bb3375743ef6e3bf350342085c6706ff3c7ce6e7cd36d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoi1t.xml

Filesize
1KB

MD5
5f994ca15d03b426cff7c6f02d61ae62

SHA1
30a1aa8913a0e31af51d06174f5650a819f60fa7

SHA256
bc0faa89382429750be9c54c0f500b715aa53bb59489cda7452267ba896b768d

SHA512
3fc3ccc9e6321084f0d575dd07e75ee9dc0764864293061a7abb5a0c985b034a20c0c8a866e711bd92a55567f20c4ede063b6211b1ad7403ec610e54bbd44418

Download Submit
memory/1468-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1468-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1468-21-0x0000000025040000-0x00000000250BE000-memory.dmp

Filesize
504KB

Download
memory/1468-41-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3132-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3132-7-0x0000000024FE0000-0x000000002505E000-memory.dmp

Filesize
504KB

Download
memory/3132-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3132-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads